Spamvertised ‘Download your USPS Label’ themed emails serve malware

Cybercriminals are currently spamvertising millions of emails impersonating the United States Postal Service (USPS), in an attempt to trick end users and corporate users into downloading and unpacking the malicious .zip attachment they distribute.

What’s so special about this campaign? Where is the malicious sample phoning back to? Are there more malware samples that have phoned back to the same command and control servers in the past? Let’s find out.

More details:

Screenshot of the spamvertised email:

The email contains the following attachment – Label_Details_USPS_Tracking_ID_RANDOM_NUMBER.zip. Once the user unpacks the archive, a malicious binary and a directory containing random strings and empty files will be extracted.

Upon execution, the sample phones back to the following URLs (the IP a domain resolved to is noted where known):

hxxp://bing.com/afyu/index.php?r=gate&gh=00cd1a40&group=1607spm&debug=0
hxxp://twitter.com/nygul/index.php?r=gate&ac=00cd1a40&group=1607spm&debug=0
hxxp://palmerlevelll1931.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 – 89.144.57.123
hxxp://bbc.com/efwgh/index.php?r=gate&cc=00cd1a40&group=1607spm&debug=0
hxxp://london-of10.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
hxxp://fb.com/dwrgh/index.php?r=gate&fg=00cd1a40&group=1607spm&debug=0
hxxp://chelseaof.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 – 213.152.180.178
hxxp://robinbobin20.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
hxxp://eetoko21.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0
hxxp://casioworld2012.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0

Responding to 89.144.57.123 are also the following domains and name servers:
ns1.london-of10.ru
ns2.london-of10.ru
london-of10.ru
ns1.chelseaof.ru
ns1.palmerlevelll1931.ru
ns2.palmerlevelll1931.ru
palmerlevelll1931.ru

As you can see, the botnet masters have also included legitimate domains in an attempt to trick reputation filters into thinking that the malware-infected host is phoning back to trusted and malware-free domains such as Bing and Twitter. Note that the request path and query string (index.php?r=gate, an 8-character bot identifier, group=1607spm, debug=0) are the same whether the beacon is sent to a decoy or to an actual C&C, so detection keyed to that pattern catches the infection regardless of which domain the request goes to. We can also easily identify the malicious command and control domains based on their historical reputation. In this case, more malware samples are known to have phoned back to the same C&Cs.
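To make the point concrete, here is an added example (not code from the original post) that flags the gate beacon described above by URL shape rather than by domain reputation, separates decoy hits from the .ru C&Cs, and clusters the C&C domains by the IPs given in the post. The proxy log format, the sample log lines, and the static domain-to-IP dictionary are constructed for illustration; the beacon URL structure and the IPs come from the post, and the pattern is written generally so it also matches other bot IDs and group tags.

```python
"""Detect the USPS-themed campaign's gate beacon by request shape, not host name.

Added example, not code from the original post. The proxy log format and
the sample log lines are constructed; the URL pattern, decoy domains and
domain-to-IP mapping are taken from the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Every URL the sample requested shares this shape: one or more path
# segments, index.php?r=gate, an 8-hex bot id under a varying two-letter
# parameter name, a campaign group tag and debug=0/1. Written generally so
# it also catches other bot ids and group tags, not just 00cd1a40/1607spm.
GATE_RE = re.compile(
    r"^/(?:[a-z]+/)+index\.php\?r=gate&(?P<param>[a-z]{2})=(?P<bot_id>[0-9a-f]{8})"
    r"&group=(?P<group>[0-9a-z]+)&debug=[01]$"
)

# Legitimate domains the botnet mixed in as decoys (from the post).
DECOY_DOMAINS = {"bing.com", "twitter.com", "bbc.com", "fb.com"}

# Constructed stand-in for a passive-DNS lookup, populated with the IPs the
# post reports. Domains not listed here are reported as "unresolved".
RESOLVES_TO = {
    "palmerlevelll1931.ru": "89.144.57.123",
    "london-of10.ru": "89.144.57.123",
    "chelseaof.ru": "213.152.180.178",
}

# Constructed proxy log, one request per line: "<epoch> <client> <method> <url> <status>".
# The last two lines are benign browsing and a hypothetical second campaign.
SAMPLE_LOG = """\
1343000001 10.0.0.5 GET http://bing.com/afyu/index.php?r=gate&gh=00cd1a40&group=1607spm&debug=0 404
1343000002 10.0.0.5 GET http://twitter.com/nygul/index.php?r=gate&ac=00cd1a40&group=1607spm&debug=0 404
1343000003 10.0.0.5 GET http://palmerlevelll1931.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 200
1343000004 10.0.0.5 GET http://london-of10.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 200
1343000005 10.0.0.5 GET http://chelseaof.ru/forum/index.php?r=gate&id=00cd1a40&group=1607spm&debug=0 200
1343000006 10.0.0.9 GET http://www.bing.com/search?q=usps+tracking 200
1343000007 10.0.0.9 GET http://example.org/forum/index.php?r=gate&id=deadbeef&group=9999xyz&debug=1 200
"""


def parse_line(line):
    """Split one constructed log line into client, host and path+query."""
    _ts, client, _method, url, status = line.split()
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return {"client": client, "host": parts.hostname, "path": path, "status": int(status)}


def find_beacons(log_text):
    """Return every request whose path matches the gate pattern, tagged decoy/C&C."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = GATE_RE.match(rec["path"])
        if not m:
            continue
        hits.append({
            **rec,
            **m.groupdict(),
            "decoy": rec["host"] in DECOY_DOMAINS,
            "ip": RESOLVES_TO.get(rec["host"]),
        })
    return hits


def cluster_c2(beacons):
    """Group the non-decoy gate hosts by resolved IP; shared IP suggests shared operator."""
    by_ip = defaultdict(set)
    for b in beacons:
        if not b["decoy"]:
            by_ip[b["ip"] or "unresolved"].add(b["host"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def infected_clients(beacons):
    """Map each client to the (bot_id, group) pairs it beaconed; any hit means infection."""
    clients = defaultdict(set)
    for b in beacons:
        clients[b["client"]].add((b["bot_id"], b["group"]))
    return dict(clients)


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for b in found:
        kind = "decoy" if b["decoy"] else "C&C  "
        print(f"{kind} {b['client']} -> {b['host']} bot={b['bot_id']} group={b['group']}")
    print("C&C clusters by IP:", cluster_c2(found))
    print("Infected clients:", infected_clients(found))
```

Because the match is on the request path and query string, the two decoy requests to bing.com and twitter.com are reported alongside the real C&C traffic instead of being whitelisted away, which is exactly the failure mode a host-reputation filter would have here. Clustering the remaining hosts by IP recovers the post's observation that london-of10.ru and palmerlevelll1931.ru sit on the same server.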